GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-01 21:23:02 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000030 Crucial_CT250MX200SSD1 rev.MU04 232,89GB Running: gmer.exe; Driver: C:\Users\PC\AppData\Local\Temp\pxldapob.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\system32\apphelp.dll [5764] entry point in ".rdata" section 0000000073d3f7c0 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [6016] entry point in ".rdata" section 00000000726fa020 ? C:\WINDOWS\system32\ncryptsslp.dll [6016] entry point in ".rdata" section 00000000726d04f0 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\WINMM.dll!waveInAddBuffer 00007ff95a833350 7 bytes JMP 00007ff95fe20500 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\WINMM.dll!waveInClose 00007ff95a836a90 7 bytes JMP 00007ff95fe203b0 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\WINMM.dll!waveInGetPosition 00007ff95a836b00 7 bytes JMP 00007ff95fe20538 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\WINMM.dll!waveInOpen 00007ff95a836b20 7 bytes JMP 00007ff95fe20378 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\WINMM.dll!waveInPrepareHeader 00007ff95a836b30 7 bytes JMP 00007ff95fe20490 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\WINMM.dll!waveInReset 00007ff95a836b40 7 bytes JMP 00007ff95fe20458 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\WINMM.dll!waveInStart 00007ff95a836b50 7 bytes JMP 00007ff95fe203e8 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\WINMM.dll!waveInStop 00007ff95a836b60 7 bytes JMP 00007ff95fe20420 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\WINMM.dll!waveInUnprepareHeader 00007ff95a836b70 7 bytes JMP 00007ff95fe204c8 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\WINMM.dll!waveOutClose 00007ff95a836b90 7 bytes JMP 00007ff95fe201f0 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\WINMM.dll!waveOutGetVolume 00007ff95a836c20 7 bytes JMP 00007ff95fe20308 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\WINMM.dll!waveOutOpen 00007ff95a836c40 7 bytes JMP 00007ff95fe201b8 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\WINMM.dll!waveOutPrepareHeader 00007ff95a836c60 7 bytes JMP 00007ff95fe20260 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\WINMM.dll!waveOutReset 00007ff95a836c70 7 bytes JMP 00007ff95fe202d0 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\WINMM.dll!waveOutSetVolume 00007ff95a836cb0 7 bytes JMP 00007ff95fe20340 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\WINMM.dll!waveOutUnprepareHeader 00007ff95a836cc0 7 bytes JMP 00007ff95fe20298 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\WINMM.dll!waveOutWrite 00007ff95a836cd0 7 bytes JMP 00007ff95fe20228 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\DSOUND.dll!DirectSoundCreate8 00007ff93f5cc5a0 5 bytes JMP 00007ff95fe20180 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\DSOUND.dll!DirectSoundCaptureCreate 00007ff93f5e92c0 7 bytes JMP 00007ff95fe20570 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\DSOUND.dll!DirectSoundCaptureCreate8 00007ff93f5e93c0 7 bytes JMP 00007ff95fe205a8 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\DSOUND.dll!DirectSoundCreate 00007ff93f5e94f0 7 bytes JMP 00007ff95fe20148 .text C:\Windows\System\HsMgr64.exe[5824] C:\WINDOWS\SYSTEM32\DSOUND.dll!DirectSoundFullDuplexCreate 00007ff93f5e9610 5 bytes JMP 00007ff95fe205e0 .text C:\WINDOWS\system32\AUDIODG.EXE[6280] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00007ff9616e0220 5 bytes JMP 00007ff94c642da0 .text C:\WINDOWS\system32\AUDIODG.EXE[6280] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00007ff96173cc40 5 bytes JMP 00007ff94c642c60 .text C:\WINDOWS\system32\AUDIODG.EXE[6280] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00007ff961755170 5 bytes JMP 00007ff94c642f30 .text C:\WINDOWS\system32\AUDIODG.EXE[6280] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff961755350 5 bytes JMP 00007ff94c6425a0 .text C:\WINDOWS\system32\AUDIODG.EXE[6280] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff961755590 5 bytes JMP 00007ff94c642410 .text C:\WINDOWS\system32\AUDIODG.EXE[6280] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff961755650 5 bytes JMP 00007ff94c6429a0 .text C:\WINDOWS\system32\AUDIODG.EXE[6280] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff961755750 2 bytes JMP 00007ff94c642940 .text C:\WINDOWS\system32\AUDIODG.EXE[6280] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent + 3 00007ff961755753 2 bytes {JMP 0xffffffffffffffd3} .text C:\WINDOWS\system32\AUDIODG.EXE[6280] C:\WINDOWS\SYSTEM32\ntdll.dll!NtResumeThread 00007ff961755890 5 bytes JMP 00007ff94c6427d0 .text C:\WINDOWS\system32\AUDIODG.EXE[6280] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff961756360 1 byte JMP 00007ff94c6429f0 .text C:\WINDOWS\system32\AUDIODG.EXE[6280] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00007ff961756362 3 bytes {JMP 0xffffffffeaeec690} .text C:\WINDOWS\system32\AUDIODG.EXE[6280] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff9617564c0 5 bytes JMP 00007ff94c642aa0 .text C:\WINDOWS\system32\AUDIODG.EXE[6280] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateUserProcess 00007ff9617565e0 5 bytes JMP 00007ff94c642b50 .text C:\WINDOWS\system32\AUDIODG.EXE[6280] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff9617570e0 5 bytes JMP 00007ff94c642a50 .text C:\WINDOWS\system32\AUDIODG.EXE[6280] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff9617571c0 5 bytes JMP 00007ff94c642b00 ? C:\WINDOWS\system32\apphelp.dll [6452] entry point in ".rdata" section 0000000073d3f7c0 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [1056:1120] ffffa6506fe96c20 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x5B 0x46 0xAE 0x46 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x77 0x57 0x0B 0x40 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x04 0x80 0xAE 0x46 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xA1 0xA4 0x0B 0x40 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 25 Reg HKLM\SYSTEM\CurrentControlSet\Control\DeviceMigration\Devices\SWD\MMDEVAPI\{0.0.0.00000000}.{0EFBBDB9-312C-4376-AB85-5843AB727E4C}\Interfaces\{e6327cad-dcec-4949-ae8a-991e976a79d2}\Properties\{a2a3fff4-353f-407c-9d86-1f9dc7d5a606}\0002@ 0x64 0x62 0x02 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\DeviceMigration\Devices\SWD\MMDEVAPI\{0.0.0.00000000}.{4384240C-22AA-4CB1-846B-6F3DC52DD406}\Interfaces\{e6327cad-dcec-4949-ae8a-991e976a79d2}\Properties\{a2a3fff4-353f-407c-9d86-1f9dc7d5a606}\0002@ 0x64 0x62 0x02 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\ENC242156381043_10_07DD_49^5DBAD3207F7C4EDE08B520A0A5F4B9A6@Timestamp 0x6C 0x0F 0x79 0x17 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Users\PC\AppData\Local\Temp\nsyA9A8.tmp\??\??\C:\Users\PC\AppData\Local\Temp\del9119.tmp?? Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 2710622 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 76478803 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 39 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 487837171 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 15237 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 56f8904a-6533-42fc-98aa-b1ec11f Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 5 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\1394ohci\Parameters\Wdf@TimeOfLastTelemetryLog 0x3E 0xD3 0x07 0x99 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\AVGIDSHA\Parameters@Reboot 40 Reg HKLM\SYSTEM\CurrentControlSet\Services\cdrom\Parameters\Wdf@TimeOfLastTelemetryLog 0xC6 0x67 0x28 0x99 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastTelemetryLog 0xA5 0x5E 0xCA 0x98 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{6e3e919d-146f-475d-905e-7a229c7545f7}@LastProbeTime 1477856082 Reg HKLM\SYSTEM\CurrentControlSet\Services\EhStorClass\Parameters\Wdf@TimeOfLastTelemetryLog 0xD9 0xEA 0xB9 0x95 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\EhStorTcgDrv\Parameters\Wdf@TimeOfLastTelemetryLog 0x49 0xBF 0x4D 0x96 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x2C 0xD4 0xDF 0x98 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\intelppm\Parameters\Wdf@TimeOfLastTelemetryLog 0x28 0x37 0x24 0x99 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters\Wdf@TimeOfLastTelemetryLog 0xCC 0xCA 0x9A 0x91 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\msisadrv\Parameters\Wdf@TimeOfLastTelemetryLog 0xAD 0x3C 0x4C 0x95 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x4A 0x85 0x24 0x99 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\rzudd\Parameters\Wdf@TimeOfLastTelemetryLog 0x50 0x71 0x2B 0xA0 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 3040 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 514 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 24 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9920e861-c458-4d67-b298-1bc5d7ed207a}@LeaseObtainedTime 1478001526 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9920e861-c458-4d67-b298-1bc5d7ed207a}@T1 -669482123 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9920e861-c458-4d67-b298-1bc5d7ed207a}@T2 2014872437 Reg HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastTelemetryLog 0xA5 0x5E 0xCA 0x98 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters\Wdf@TimeOfLastTelemetryLog 0xF2 0x9B 0x4A 0x9F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters\Wdf@TimeOfLastTelemetryLog 0xF0 0xE1 0x39 0x9F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrvroot\Parameters\Wdf@TimeOfLastTelemetryLog 0xCB 0x3B 0x6B 0x95 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x1C 0xFC 0xA4 0xFA ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x1C 0x64 0x69 0x5C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x1C 0x94 0xE0 0x98 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpdUpFltr\Parameters\Wdf@TimeOfLastTelemetryLog 0xBF 0xCC 0xCC 0xA1 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\MMDEVAPI\{0.0.0.00000000}.{0EFBBDB9-312C-4376-AB85-5843AB727E4C}\Interfaces\{e6327cad-dcec-4949-ae8a-991e976a79d2}\Properties\{a2a3fff4-353f-407c-9d86-1f9dc7d5a606}\0002@ 0x64 0x62 0x02 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\MMDEVAPI\{0.0.0.00000000}.{1BB37C72-7E67-468E-B95E-64B988A72E91}\Interfaces\{e6327cad-dcec-4949-ae8a-991e976a79d2}\Properties\{a2a3fff4-353f-407c-9d86-1f9dc7d5a606}\0002@ 0x64 0x62 0x02 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\MMDEVAPI\{0.0.0.00000000}.{4384240C-22AA-4CB1-846B-6F3DC52DD406}\Interfaces\{e6327cad-dcec-4949-ae8a-991e976a79d2}\Properties\{a2a3fff4-353f-407c-9d86-1f9dc7d5a606}\0002@ 0x64 0x62 0x02 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\MMDEVAPI\{0.0.0.00000000}.{F46DD665-6252-43B3-A53A-94B70BC9AFDB}\Interfaces\{e6327cad-dcec-4949-ae8a-991e976a79d2}\Properties\{a2a3fff4-353f-407c-9d86-1f9dc7d5a606}\0002@ 0x64 0x62 0x02 0x00 ... ---- EOF - GMER 2.2 ----